Analysis Overview
SHA256
eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72
Threat Level: Known bad
The file eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N was found to be: Known bad.
Malicious Activity Summary
simda
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 11:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 11:50
Reported
2024-09-19 11:52
Platform
win7-20240708-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1bf87e2a = "C:\\Windows\\apppatch\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Windows Defender\gahyqah.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vonypom.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vocyzit.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\gatyfus.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupydeq.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupycag.com | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\MuiCache | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1628 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | C:\Windows\apppatch\svchost.exe |
| PID 1628 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | C:\Windows\apppatch\svchost.exe |
| PID 1628 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | C:\Windows\apppatch\svchost.exe |
| PID 1628 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe
"C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 88.221.135.58:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
Files
memory/1628-1-0x0000000000230000-0x0000000000233000-memory.dmp
memory/1628-0-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1628-2-0x0000000000400000-0x000000000045F000-memory.dmp
\Windows\AppPatch\svchost.exe
| Hash | Value |
| --- | --- |
| MD5 | a1152516b92cff51e45e774e5d6111a3 |
| SHA1 | 3b025df0c1498e8d1642d73e1f4f6fd2f54f6d92 |
| SHA256 | 259d307e700014ffbdbae63b30cc55701f184727d5c7ea165e04c6f0918d52a2 |
| SHA512 | 9681e484c95eaedaf30e9104ffe4ea622713d16c676ce18a187a159383605ac8a29e167c99d033382ebdc35854180a5982d2606c2da1556d2086215e39675943 |
memory/2564-20-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1628-19-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1628-18-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1628-17-0x0000000000230000-0x0000000000233000-memory.dmp
memory/1628-14-0x0000000000470000-0x00000000004D5000-memory.dmp
memory/2564-21-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2564-22-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2564-23-0x0000000002410000-0x00000000024BA000-memory.dmp
memory/2564-29-0x0000000002410000-0x00000000024BA000-memory.dmp
memory/2564-33-0x0000000002410000-0x00000000024BA000-memory.dmp
memory/2564-31-0x0000000002410000-0x00000000024BA000-memory.dmp
memory/2564-34-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2564-27-0x0000000002410000-0x00000000024BA000-memory.dmp
memory/2564-25-0x0000000002410000-0x00000000024BA000-memory.dmp
memory/2564-35-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-37-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-39-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-45-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-50-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-87-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-86-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-85-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-84-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-83-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-82-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-81-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-80-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-79-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-78-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-77-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-75-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-74-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-73-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-72-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-71-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-70-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-69-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-68-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-67-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-66-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-65-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-64-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-62-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-61-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-60-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-59-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-58-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-57-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-56-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-55-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-54-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-53-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-52-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-49-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-48-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-47-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-46-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-76-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-44-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-63-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-43-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-42-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-51-0x00000000025C0000-0x0000000002677000-memory.dmp
memory/2564-41-0x00000000025C0000-0x0000000002677000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 11:50
Reported
2024-09-19 11:52
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4a980ec8 = "C:\\Windows\\apppatch\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Windows Defender\vonypom.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vocyzit.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\gatyfus.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupydeq.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupycag.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\MuiCache | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3400 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | C:\Windows\apppatch\svchost.exe |
| PID 3400 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | C:\Windows\apppatch\svchost.exe |
| PID 3400 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe
"C:\Users\Admin\AppData\Local\Temp\eed33bec73b9ad7d23e732d3ad847e7124d35936d47fc3693890feec09480c72N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 88.221.134.250:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 250.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.46.253.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 122.31.17.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 8.8.8.8:53 | 151.26.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
Files
memory/3400-0-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3400-1-0x0000000000610000-0x0000000000613000-memory.dmp
memory/3400-2-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| Hash | Value |
| --- | --- |
| MD5 | 6f2de013061f2d07776f440aecf1094a |
| SHA1 | f7e0723167793c6643a9538e854c00540d7f3b5d |
| SHA256 | 03a766f4ab5f33960fa21bfb0ddc5470f82717292b7cc3f3d0f3a138baacc2a5 |
| SHA512 | fa2cf43924dcbe11295e9f665a87195bd0aadd1c6be93a0e5f3390346a52847bd8ee8148806027d22311f22221f6c4b8ebfb24f89459028ae877d7b2a1a343c2 |
memory/4764-13-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4764-15-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3400-19-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3400-18-0x0000000000610000-0x0000000000613000-memory.dmp
memory/3400-17-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4764-20-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4764-21-0x0000000002A00000-0x0000000002AAA000-memory.dmp
memory/4764-22-0x0000000000400000-0x0000000000465000-memory.dmp
memory/4764-23-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-25-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-27-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-35-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-38-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-84-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-83-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-81-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-80-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-79-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-78-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-77-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-76-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-75-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-74-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-73-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-72-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-71-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-70-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-69-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-68-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-66-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-65-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-64-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-63-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-62-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-61-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-60-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-59-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-58-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-57-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-56-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-55-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-54-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-52-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-50-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-51-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-49-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-48-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-47-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-46-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-45-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-43-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-42-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-41-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-40-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-39-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-37-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-36-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-34-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-32-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-33-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-31-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-30-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-29-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-82-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-67-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-53-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-44-0x0000000002BB0000-0x0000000002C67000-memory.dmp
memory/4764-28-0x0000000002BB0000-0x0000000002C67000-memory.dmp